How it works
An attacker who already controls a friend's account messages you, sounding just like them. They ask for a small favour: vote for them in a competition, or confirm a code that was sent to you by mistake.
That code is actually the verification or password-reset code for your own account. The moment you forward it, the attacker resets your login, locks you out and starts the same routine on everyone in your contacts.
Why it works and who is targeted
The request comes from a real friend's account, so it feels completely safe - you are not talking to a stranger but to someone you trust. The favour sounds tiny and harmless, which lowers any suspicion.
Anyone with an online account is a potential target, but people who are quick to help friends, and those less familiar with how login codes work, are most at risk. The scam scales by turning each new victim into a launchpad for the next.
Red flags in detail
Any request to share a verification code, one-time password or reset code is the brightest red flag - those codes are only ever for you, never for anyone else. Be alert when a contact suddenly needs help getting back into an account, or asks you to vote via a strange link.
Messages that create urgency, ask for money, or sound slightly off in tone or wording suggest the account is compromised. A request that arrives only by chat, with the friend unable to take a call, is especially suspicious.
What to do and how to stay safe
Never share a login or verification code with anyone, no matter who appears to be asking. If a friend's message seems off, verify through another channel - call them or message them a different way - before doing anything.
Protect your own accounts with strong, unique passwords and turn on two-factor authentication, ideally with an authenticator app rather than text messages. If you receive a code you did not request, treat it as an attempt against you and ignore it.